diff options
author | Nikolay Amiantov <ab@fmap.me> | 2016-01-06 04:59:14 +0300 |
---|---|---|
committer | Nikolay Amiantov <ab@fmap.me> | 2016-01-10 07:28:19 +0300 |
commit | f92cec4c1bf6406cb26f420e57f8ab77e3351752 (patch) | |
tree | 196619a4f68933952a602564e4cd344dd1166d9a /nixos/modules/security/acme.nix | |
parent | ded1a55b8dd42ff08870ca60e0cf45e25209971a (diff) | |
download | nixlib-f92cec4c1bf6406cb26f420e57f8ab77e3351752.tar nixlib-f92cec4c1bf6406cb26f420e57f8ab77e3351752.tar.gz nixlib-f92cec4c1bf6406cb26f420e57f8ab77e3351752.tar.bz2 nixlib-f92cec4c1bf6406cb26f420e57f8ab77e3351752.tar.lz nixlib-f92cec4c1bf6406cb26f420e57f8ab77e3351752.tar.xz nixlib-f92cec4c1bf6406cb26f420e57f8ab77e3351752.tar.zst nixlib-f92cec4c1bf6406cb26f420e57f8ab77e3351752.zip |
nixos/acme: add allowKeysForGroup
Diffstat (limited to 'nixos/modules/security/acme.nix')
-rw-r--r-- | nixos/modules/security/acme.nix | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix index 2de57dd68cba..a2806973a35d 100644 --- a/nixos/modules/security/acme.nix +++ b/nixos/modules/security/acme.nix @@ -37,6 +37,12 @@ let description = "Group running the ACME client."; }; + allowKeysForGroup = mkOption { + type = types.bool; + default = false; + description = "Give read permissions to the specified group to read SSL private certificates."; + }; + postRun = mkOption { type = types.lines; default = ""; @@ -137,6 +143,7 @@ in systemd.services = flip mapAttrs' cfg.certs (cert: data: let cpath = "${cfg.directory}/${cert}"; + rights = if cfg.allowKeysForGroup then "750" else "700"; cmdline = [ "-v" "-d" cert "--default_root" data.webroot "--valid_min" cfg.validMin ] ++ optionals (data.email != null) [ "--email" data.email ] ++ concatMap (p: [ "-f" p ]) data.plugins @@ -159,9 +166,10 @@ in preStart = '' mkdir -p '${cfg.directory}' if [ ! -d '${cpath}' ]; then - mkdir -m 700 '${cpath}' - chown '${data.user}:${data.group}' '${cpath}' + mkdir '${cpath}' fi + chmod ${rights} '${cpath}' + chown -R '${data.user}:${data.group}' '${cpath}' ''; script = '' cd '${cpath}' |